
Authn/authz against Active Directory on Windows

From: Powell, Damian <damian.powell_at_davislangdon.com>
Date: 2006-10-25 10:41:40 CEST

Hello,

I am trying to set up Subversion through Apache on Windows. We want to
authenticate against Active Directory and authorize various levels of
access based on Active Directory group membership. I've kind-of got
everything working but I have a couple of issues and wondered if anyone
else on the list has already worked around them.

We've been trying to keep it simple by just using out-of-the-box
components (i.e., by not rebuilding anything). So, we're using
mod_auth_ldap. The problems are:

1. mod_auth_ldap seems a little unstable. It appears to cause the Apache
service to crash when it performs an unbind request.

2. The user's Active Directory password is sent to the LDAP server in
clear text. We could mitigate this by using LDAP over SSL but I found an
article that said LDAP over SSL is not supported anymore (and I couldn't
work out how to configure it anyway - changing to an ldaps:// URL didn't
work). Using ethereal, I have noticed other LDAP clients running on our
network that encrypt the content of LDAP messages even though they still
use port 389. These messages contain references to 'GSS-API' - does that
mean that it's Kerberos?

I set up Apache 2.2 and configured its mod_authnz_ldap module which seems
to be much more stable but still has the encryption issue. Also, the
standard Windows distribution of Subversion isn't compatible with Apache
2.2.

This is the configuration I'm currently using:
 - Apache 2.0.59
 - Subversion 1.4.0 (r21228)
 - Windows Server 2003 SP1 (both AD server and Subversion server)
 - httpd.conf:
   LoadModule ldap_module modules/util_ldap.so
   LoadModule auth_ldap_module modules/mod_auth_ldap.so
   <Location /svn>
       # Subversion configuration
       DAV svn
       SVNParentPath C:/Repositories/Subversion
       # Authentication
       AuthType Basic
       AuthName "Subversion Repository"
       AuthLDAPUrl "ldap://MyAdServer/OU=MyOu,DC=MyDomain,DC=com?sAMAccountName"
       AuthLDAPBindDN "mydomain\adviewerusername"
       AuthLDAPBindPassword "adviewerpassword"
       # Authorization
       <Limit GET PROPFIND OPTIONS REPORT>
           Require valid-user
       </Limit>
       <LimitExcept GET PROPFIND OPTIONS REPORT>
           Require group CN=DeveloperStaff,OU=MyOu,DC=MyDomain,DC=com
       </LimitExcept>
   </Location>

Any help will be greatly appreciated.

Thanks in advance,
Damian.
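The configuration below is an added example for the Apache 2.2 / mod_authnz_ldap variant described in the post; it is not the poster's own httpd.conf and not part of the original message. It puts the weak setting (simple bind over plain LDAP on port 389, where the user's AD password crosses the network in clear) next to the hardened one (LDAP over SSL on port 636 with the domain controller's certificate verified against a pinned CA). mod_ldap only performs simple binds, so the GSS-API-wrapped traffic seen on port 389 from Windows clients (SASL GSSAPI, i.e. Kerberos, with LDAP signing and sealing) is not something this module can reproduce; TLS is the protection available to it. Every hostname, DN, file path and account name is a placeholder, and the module paths assume a stock Apache 2.2 Windows build.

```apache
# Added example, not the poster's configuration: Apache 2.2 with
# mod_authnz_ldap, LDAP over SSL and Active Directory group authorization.
# All hostnames, DNs, paths and account names below are placeholders.

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so

# Trust only the CA that issued the domain controller's certificate (DER
# encoded) and refuse any LDAPS connection whose certificate does not verify.
LDAPTrustedGlobalCert CA_DER C:/Apache2.2/conf/ad-root-ca.der
LDAPVerifyServerCert On

<Location /svn>
    DAV svn
    SVNParentPath C:/Repositories/Subversion

    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On

    # Weak: plain LDAP on 389. The bind that checks the user's password is
    # sent unencrypted, which is what the packet capture in the post shows.
    # AuthLDAPURL "ldap://MyAdServer:389/OU=MyOu,DC=MyDomain,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

    # Hardened: LDAP over SSL on 636; the server certificate is checked
    # against the CA configured above before any bind is attempted.
    AuthLDAPURL "ldaps://MyAdServer:636/OU=MyOu,DC=MyDomain,DC=com?sAMAccountName?sub?(objectClass=user)" SSL

    # Low-privilege service account used only for the initial user search.
    # Keep httpd.conf readable by the service account alone, since this
    # password is stored in clear.
    AuthLDAPBindDN "CN=svnlookup,OU=ServiceAccounts,DC=MyDomain,DC=com"
    AuthLDAPBindPassword "adviewerpassword"

    # Active Directory stores group membership as full DNs in 'member'.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    # Read-only access for any authenticated user, write access only for
    # members of the DeveloperStaff group.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=DeveloperStaff,OU=MyOu,DC=MyDomain,DC=com
    </LimitExcept>
</Location>
```

The AuthLDAPURL mode keyword (NONE, SSL, TLS or STARTTLS) is the Apache 2.2 way of selecting the transport; the ldaps:// scheme alone also implies SSL, and LDAPVerifyServerCert is what turns a merely encrypted session into an authenticated one. The LDAP leg is only half of the path: with AuthType Basic the svn client sends the same AD password to Apache base64-encoded, so the /svn location should itself be served over HTTPS (mod_ssl), otherwise the cleartext exposure is moved rather than removed.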

Received on Wed Oct 25 10:42:35 2006

This is an archived mail posted to the Subversion Users mailing list.
